Enable javascript in your browser for better experience. Need to know to enable it? Go here.
radar blip
radar blip

Open Policy Agent (OPA)

Last updated : May 19, 2020
This blip is not on the current edition of the Radar. If it was on one of the last few editions, it is likely that it is still relevant. If the blip is older, it might no longer be relevant and our assessment might be different today. Unfortunately, we simply don't have the bandwidth to continuously review blips from previous editions of the Radar. Understand more
May 2020
Trial ? Worth pursuing. It is important to understand how to build up this capability. Enterprises should try this technology on a project that can handle the risk.

Open Policy Agent (OPA) has rapidly become a favorable component of many distributed cloud-native solutions that we build for our clients. OPA provides a uniform framework and language for declaring, enforcing and controlling policies for various components of a cloud-native solution. It's a great example of a tool that implements security policy as code. We've had a smooth experience using OPA in multiple scenarios, including deploying resources to K8s clusters, enforcing access control across services in a service mesh and fine-grained security controls as code for accessing application resources. A recent commercial offering, Styra's Declarative Authorization Service (DAS), eases the adoption of OPA for enterprises by adding a management tool, or control plane, to OPA for K8s with a prebuilt policy library, impact analysis of the policies and logging capabilities. We look forward to maturity and extension of OPA beyond operational services to (big) data-centric solutions.

Nov 2019
Assess ? Worth exploring with the goal of understanding how it will affect your enterprise.

Defining and enforcing security policies uniformly across a diverse technology landscape is a challenge. Even for simple applications, you have to control access to their components — such as container orchestrators, services and data stores to keep the services' state — using their components' built-in security policy configuration and enforcement mechanisms.

We're excited about Open Policy Agent (OPA), an open-source technology that attempts to solve this problem. OPA lets you define fine-grained access control and flexible policies as code, using the Rego policy definition language. Rego enforces the policies in a distributed and unobtrusive manner outside of the application code. At the time of this writing, OPA implements uniform and flexible policy definition and enforcement to secure access to Kubernetes APIs, microservices APIs through Envoy sidecar and Kafka. It can also be used as a sidecar to any service to verify access policies or filter response data. Styra, the company behind OPA, provides commercial solutions for centralized visibility to distributed policies. We like to see OPA mature through the CNCF incubation program and continue to build support for more challenging policy enforcement scenarios such as diverse data stores.

Published : Nov 20, 2019

Download Technology Radar Volume 29

English | Español | Português | 中文

Stay informed about technology


Subscribe now

Visit our archive to read previous volumes